US government agency paid $1M for data breach

The TL;DR
A US government agency paid nearly $1m to the Kairos extortion group to keep stolen files private, according to a Ransom-ISAC case study based on leaked chat logs and blockchain analysis. Clues point to Union County, Ohio, although neither party has confirmed it. The case shows how much of today’s “ransomware” doesn’t involve encryption at all.
A US government agency paid nearly $1m to stop stolen files from being published, according to research by Rakesh Krishnan of Ransom-ISAC. The analysis draws on the leaked negotiation conversation and on blockchain records that track the payment.
The group behind the deal calls itself Kairos, but it may not be a ransomware gang in any traditional sense. Krishnan reportedly found no encryptor, no locker, and no need for a decryption key, just stolen files and a price to keep them private.
The case study doesn’t name the victim, but the sample files offered as proof of the theft, including an archive called union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection, and The Hacker News says it has reached out to the county for comment.
The clues match a real incident. In May 2025, Union County discovered ransomware on its network and later notified 45,487 people that data including Social Security numbers, fingerprints, and passport information had been taken.
If the identification holds, the county of about 70,000 residents made a $1m payment that it has never publicly disclosed. The attacker reportedly leaned heavily on a folder labeled “prosecutor’s office”, warning that a leak would help criminals avoid charges.
Anatomy of a $1m deal
The negotiations lasted about a month, according to the case study. Kairos opened at $3m and claimed to hold more than 2TB of data across 1.6 million files.
The county reportedly countered at $100,000 and went as high as $430,000, with Kairos dropping to $2m before settling on a final $1m demand. The victim paid on June 13, 2025, ten times its own opening counteroffer.
The estimated payout of 9.44 bitcoin was equivalent to $1m at that week’s market prices. Within hours it was reportedly split and moved through a chain of wallets to deposits on Bybit, OKX, and BELQI, a Russian service that recalls earlier ransomware cases involving WEX and BTC-e.
This kind of tracking gives investigators clues rather than identities. Criminals have spent years perfecting the way they launder cryptocurrency through mules, mixers, and loosely regulated exchanges.
Whether the money bought anything is another question. Kairos provided a “proof of deletion” file, but a listing of files only proves the attacker held the data; it promises deletion, it cannot prove it.
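The wallet-hopping described above, as an added example that is not from the article or the Ransom-ISAC case study: a forward trace over a constructed transaction graph until the funds land on addresses labelled as exchange deposits. Every address, amount and label here is a constructed placeholder; real tracing relies on clustering heuristics and exchange attribution data that this toy dictionary stands in for.

```python
"""Follow a payment forward through a constructed transaction graph and
report where it ends up (exchange deposit addresses or unlabelled dead ends)."""
from collections import defaultdict, deque

# Constructed transactions: (from_address, to_address, btc). The 9.44 figure
# mirrors the article; every address name is a placeholder.
TXS = [
    ("victim_pay", "ransom_addr", 9.44),
    ("ransom_addr", "hop1", 5.00),
    ("ransom_addr", "hop2", 4.44),
    ("hop1", "exch_A_deposit", 5.00),
    ("hop2", "hop3", 4.44),
    ("hop3", "exch_B_deposit", 3.00),
    ("hop3", "unknown_cold", 1.44),
]

# Constructed attribution list: address -> service label. In practice this
# comes from address clustering and exchange cooperation, not a dict.
LABELS = {"exch_A_deposit": "Exchange A", "exch_B_deposit": "Exchange B"}


def trace_funds(txs, start, labels, max_hops=8):
    """Breadth-first walk from `start`. Returns a list of
    (endpoint_address, service_label_or_None, btc, hops) for every endpoint:
    an address that is labelled as a service or that has no outgoing spend."""
    outgoing = defaultdict(list)
    for src, dst, amt in txs:
        outgoing[src].append((dst, amt))

    endpoints = []
    queue = deque([(start, 0)])  # (address, hops traversed so far)
    while queue:
        addr, hops = queue.popleft()
        for dst, amt in outgoing[addr]:
            if dst in labels or not outgoing[dst] or hops + 1 >= max_hops:
                endpoints.append((dst, labels.get(dst), amt, hops + 1))
            else:
                queue.append((dst, hops + 1))
    return endpoints


def attributed_total(endpoints):
    """Sum of funds that reached a labelled service (a clue, not an identity)."""
    return round(sum(amt for _, label, amt, _ in endpoints if label), 8)


if __name__ == "__main__":
    for dst, label, amt, hops in trace_funds(TXS, "ransom_addr", LABELS):
        print(f"{dst:16} {label or '(unattributed)':16} {amt:6.2f} BTC after {hops} hop(s)")
    print("reached labelled services:", attributed_total(trace_funds(TXS, "ransom_addr", LABELS)), "BTC")
```

The walk stops at a labelled address because what happens inside an exchange is invisible on-chain; from that point an investigator needs the exchange's own records, which is why the article calls such traces clues rather than identities.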
Ransomware without ransomware
Union County described the incident as ransomware, but nothing in the Kairos case was ever encrypted. A growing share of what still carries that label now bypasses lockers entirely and uses the stolen data itself as the pressure point, the playbook of the extortion-only breaches aimed at the private sector.
Sophos reported in 2025 that nearly half of ransomware attacks involved encryption, down from 70% the year before and the lowest level in six years. The Silent Ransom Group, an offshoot of the Conti ecosystem, has spent years running encryption-free extortion and has drawn repeated warnings from US law enforcement agencies, including the FBI.
The bargaining arc is also common. When Black Basta’s internal negotiations were leaked in February 2025, one deal went from an asking price of $1.5m to a counter of $100,000 and a final $1m payment, almost the same curve.
Kairos itself is quiet: its leak site is offline and its last known victim was posted in June 2026, according to the case study. The linked wallets were reportedly still moving funds in May, so the silence should not be read as the group retiring.
Hard lessons
For small government networks, the takeaway is deliberately mundane. Kairos said it got in by password guessing, so multi-factor authentication and alerts on repeated failed logins would have raised the attacker’s cost significantly.
Defenders should also watch outbound transfers to file-sharing links, such as the tem.sh addresses used by the attacker, and keep legal and citizen records isolated from the wider network. Above all, a thief’s receipt for deleting stolen data is worth exactly what it costs to type.
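The two detections the article recommends, as an added example that is not from the article or Ransom-ISAC: a check for repeated failed logins from one source against one account (the password guessing Kairos described) and a check for large outbound uploads to file-sharing domains (tem.sh is the one named in the article; the second domain and both log formats are constructed for this example).

```python
"""Two log checks modelled on the article's advice: alert on password-guessing
bursts and on bulk uploads to file-sharing services. Log formats, sample lines
and the non-tem.sh watchlist entry are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed authentication log: "<iso-timestamp> <OK|FAIL> user=<name> src=<ip>"
AUTH_LOG = """\
2025-05-01T02:10:05 FAIL user=jdoe src=203.0.113.7
2025-05-01T02:10:09 FAIL user=jdoe src=203.0.113.7
2025-05-01T02:10:14 FAIL user=jdoe src=203.0.113.7
2025-05-01T02:10:20 FAIL user=jdoe src=203.0.113.7
2025-05-01T02:10:27 FAIL user=jdoe src=203.0.113.7
2025-05-01T02:10:41 OK user=jdoe src=203.0.113.7
2025-05-01T08:30:00 FAIL user=asmith src=192.0.2.10
2025-05-01T08:35:00 OK user=asmith src=192.0.2.10
"""

# Constructed proxy log: "<iso-timestamp> <src-ip> <method> <url> <bytes-out>"
PROXY_LOG = """\
2025-05-01T02:15:00 10.0.0.5 GET https://example.org/index.html 512
2025-05-01T02:16:30 10.0.0.5 PUT https://tem.sh/upload/abc123 734003200
2025-05-01T02:20:00 10.0.0.9 POST https://intranet.local/forms 2048
"""

# tem.sh comes from the article; the other entry is a placeholder for a local list.
FILE_SHARING_DOMAINS = {"tem.sh", "example-file-drop.invalid"}


def find_password_guessing(log, threshold=5, window=timedelta(minutes=10)):
    """Return (user, src, first_fail, last_fail, success_followed) for each
    user/source pair with `threshold` failures inside `window`. The last field
    says whether a successful login from the same pair came after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        ts, result, user, src = line.split()
        key = (user.split("=", 1)[1], src.split("=", 1)[1])
        (failures if result == "FAIL" else successes)[key].append(datetime.fromisoformat(ts))

    alerts = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                followed = any(t > times[end] for t in successes.get(key, []))
                alerts.append((key[0], key[1], times[start], times[end], followed))
                break
    return alerts


def find_filesharing_uploads(log, domains=FILE_SHARING_DOMAINS, min_bytes=10 * 1024 * 1024):
    """Return (src, host, bytes) for PUT/POST requests of at least `min_bytes`
    to a watched domain or any of its subdomains."""
    hits = []
    for line in log.splitlines():
        _, src, method, url, nbytes = line.split()
        host = urlparse(url).hostname or ""
        watched = any(host == d or host.endswith("." + d) for d in domains)
        if method in ("PUT", "POST") and watched and int(nbytes) >= min_bytes:
            hits.append((src, host, int(nbytes)))
    return hits


if __name__ == "__main__":
    for user, src, first, last, followed in find_password_guessing(AUTH_LOG):
        print(f"guessing burst: {user} from {src} {first:%H:%M:%S}-{last:%H:%M:%S}"
              f"{' then SUCCEEDED' if followed else ''}")
    for src, host, n in find_filesharing_uploads(PROXY_LOG):
        print(f"bulk upload: {src} -> {host} ({n / 1e6:.0f} MB)")
```

The "success after burst" flag is the important one: a burst that ends in a successful login is the pattern the article attributes to the Kairos intrusion, and it is the alert MFA would have turned into a mere nuisance.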